ESP is protocol 50 and AH is 51. Neither opening 52 nor leaving 50 closed is likely to help.

David Gillett

> -----Original Message-----
> From: Douglas Gullett [mailto:[EMAIL PROTECTED]
> Sent: August 2, 2003 08:49
> To: Adam Overlin; [EMAIL PROTECTED]
> Subject: RE: Cisco Workaround
>
> Adam,
>
> If the "cheat" sheet you are referring to is the Cisco Security Alert, I am
> guessing that you put in their access-list. For IPSEC you need to have
> Protocol Port 51 (ESP) and Protocol Port 52 (AH) open, as well as UDP Port
> 500 (isakmp).
>
> Doug
>
> -----Original Message-----
> From: Adam Overlin [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 31, 2003 12:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco Workaround
>
> I just joined this list so I haven't seen the whole thread on this issue,
> thus my company's particular issue may have been discussed already, but I
> thought I would see if I could get some help anyway.
>
> Background:
> We have a Cisco 827 router and a PIX 506e locally. Router being in front of
> the PIX. We also have a co-location facility that we are connected via a
> constant VPN tunnel. There we have a PIX 515e. The two pixes are what
> control the VPN/encryption.
>
> Issue:
> The pixes don't run IOS so we didn't have to worry about upgrading those.
> However, the router does. So we upgraded the router to the latest version.
> Everything worked ok, except, the VPN tunnel. That got knocked out. Keep
> in mind that I am no Cisco expert. I did the upgrade with the help of a
> *cheat* sheet that Cisco sent us. All I did was copy the information. I
> didn't really understand what I was actually typing into the console (we
> have another network consultant that is responsible for the "understanding"
> part, although he didn't know why it wasn't working either). :)
>
> So after a little messing around we reverted back to the old IOS and
> everything was peachy. A couple days later they sent us another version to
> upgrade with and that did the same thing. Needless to say, we are still
> upgradeless.
>
> If there are any suggestions out there, I would really appreciate it. If I
> didn't give enough info, please let me know, and I will get you whatever you
> need (within my power of course).
>
> Thanks in advance,
> Adam
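
The protocol numbers in the reply at the top decide what an access list actually passes. As an added example (not part of the thread and not Cisco's advisory access-list), the Python below evaluates simplified IOS-style extended ACL lines with first-match semantics and reports whether ESP, AH and ISAKMP get through; the ACL lines, addresses and function names are constructed for illustration.

```python
import ipaddress

# IP protocol numbers as stated in the reply above; ISAKMP is UDP port 500.
KEYWORDS = {"esp": 50, "ahp": 51, "udp": 17, "tcp": 6, "icmp": 1}
PORTS = {"isakmp": 500}

def _addr(tok, i):
    """Read one address spec at tok[i]; return (match function, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        host = ipaddress.ip_address(tok[i + 1])
        return (lambda ip: ip == host), i + 2
    base, wild = (int(ipaddress.ip_address(t)) for t in tok[i:i + 2])
    return (lambda ip: (int(ip) | wild) == (base | wild)), i + 2

def parse(line):
    # Simplified form: access-list <n> permit|deny <proto> <src> <dst> [eq <dport>]
    tok = line.split()
    action, proto = tok[2], tok[3]
    num = None if proto == "ip" else KEYWORDS.get(proto) or int(proto)
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    port = None
    if tok[i:i + 1] == ["eq"]:
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return action, num, src, dst, port

def allowed(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, num, m_src, m_dst, port in map(parse, acl):
        if (num in (None, proto) and m_src(s) and m_dst(d)
                and port in (None, dport)):
            return action == "permit"
    return False

def ipsec_report(acl, src, dst):
    return {"esp": allowed(acl, 50, src, dst), "ah": allowed(acl, 51, src, dst),
            "isakmp": allowed(acl, 17, src, dst, 500)}

# Constructed sample ACLs (documentation addresses; not from the thread).
SRC, DST = "192.0.2.10", "198.51.100.20"
PAIR = f"host {SRC} host {DST}"
IKE = f"access-list 101 permit udp {PAIR} eq isakmp"
MISNUMBERED = [f"access-list 101 permit 51 {PAIR}", f"access-list 101 permit 52 {PAIR}", IKE]
CORRECTED = [f"access-list 101 permit esp {PAIR}", f"access-list 101 permit ahp {PAIR}", IKE]

if __name__ == "__main__":
    print(ipsec_report(MISNUMBERED, SRC, DST), ipsec_report(CORRECTED, SRC, DST))
```

An ACL that opens 51 and 52 passes ISAKMP and AH but drops ESP at the implicit deny, so the tunnel negotiates and then carries no ESP traffic.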